PUP.NewPlayer is a potentially unwanted program (PUP) that masquerades as a legitimate media player or video codec installer while delivering intrusive advertisements, browser modifications, and bundled software to unsuspecting users. Despite its benign-sounding name, this application serves primarily as an advertising platform that generates revenue for its operators through pay-per-install schemes and affiliate marketing rather than providing any genuine multimedia functionality. Users typically discover PUP.NewPlayer on their systems after downloading what appeared to be a necessary video player update or codec pack from a questionable website.

PUP.NewPlayer — cybersecurity illustration
Photo by Daniil Komov on Pexels

While not technically a virus in the traditional sense, PUP.NewPlayer exhibits aggressive behavior that compromises system performance and user privacy. It often arrives bundled with freeware installers, hiding its installation behind deceptive "Express" setup options that users click through without reading the fine print. Once installed, it modifies browser settings, displays pop-up advertisements, tracks browsing activity, and may install additional unwanted software without explicit consent.

Think you're infected right now? Disconnect from the internet immediately if you're seeing unusual pop-ups or browser redirects. Don't enter any passwords or financial information until you've scanned your system. Call us at (770) 692-4102 or bring your computer to our Roswell shop for a free diagnostic — we can typically remove PUPs like NewPlayer the same day.

Threat Profile

Attribute Details
Threat Classification PUP (Potentially Unwanted Program), Adware
Family NewPlayer/FakePlayer adware family
Common Aliases Adware.NewPlayer, PUA:Win32/NewPlayer, BrowserModifier:NewPlayer
Platforms Affected Windows 7, 8, 8.1, 10, 11 (both 32-bit and 64-bit)
First Observed Variants circulating since approximately 2015, with frequent rebrandings
Primary Distribution Software bundling, fake codec installers, misleading video player updates
Persistence Mechanisms Browser extensions, scheduled tasks, registry Run keys, startup folder entries
Primary Capabilities Ad injection, browser hijacking, tracking cookie installation, data collection, PUP installation
Typical Artifacts Files in %LOCALAPPDATA%\NewPlayer\, browser extension folders, registry modifications in HKCU\Software\NewPlayer
Network Behavior Connects to ad-serving domains, tracking servers; sends browsing data to third-party analytics platforms
Data at Risk Browsing history, search queries, clicked links, system information, potentially form data
Removal Difficulty Moderate — removes via standard tools but may leave browser modifications requiring manual cleanup

How It Spreads

The primary distribution mechanism for PUP.NewPlayer relies on user deception rather than technical exploitation. The operators behind this adware have refined their social engineering tactics over years, creating scenarios where users believe they're installing necessary or beneficial software. The most common vector involves fake video player updates that appear when users attempt to watch streaming content on questionable websites. A pop-up appears claiming the current video player is outdated or that a specific codec is required to view the content, prompting the download of what's actually the PUP installer.

Software bundling represents the second major distribution channel. PUP.NewPlayer frequently comes packaged with free applications downloaded from third-party software repositories, file-sharing sites, and download portals that monetize their offerings through pay-per-install arrangements. During installation, the unwanted program is presented in pre-checked boxes within "Quick" or "Express" installation modes, which most users select without reading the disclosure statements buried in lengthy terms of service agreements.

Common distribution vectors include:

  • Fake video codec installers — Pop-ups on streaming sites claiming "Flash Player update required" or "Codec Pack needed to play this video"
  • Bundled freeware installers — Legitimate free software repackaged with additional offers during installation wizards
  • Malvertising campaigns — Misleading advertisements on legitimate websites that mimic system notifications or software update alerts
  • Torrent downloads — Cracked software packages containing bundled PUPs as "bonus" installations
  • Email attachments — Less common, but occasionally distributed via spam emails disguised as software updates or utility tools
  • Compromised download buttons — Deceptive "Download" buttons on software portals that install PUPs instead of the desired application

What It Does On Your Machine

Once installed, PUP.NewPlayer immediately establishes multiple persistence mechanisms to ensure it survives basic uninstallation attempts. The program creates a dedicated folder structure within the user's local application data directory, typically under a name like "NewPlayer" or a GUID-based folder name to avoid detection. From this location, it launches background processes that monitor browser activity and inject advertisements into web pages as they load. These processes often run with elevated privileges if the user granted administrator access during installation.

The adware modifies browser configurations across all installed browsers — Chrome, Firefox, Edge, and others. It installs browser extensions or add-ons that cannot be easily removed through normal browser settings, often protecting them with policies that prevent user modification. These extensions alter the new tab page, change the default search engine to a partner search portal that generates revenue through redirected queries, and inject additional advertisements into search results and regular web pages. Users notice banner ads appearing where none existed before, pop-unders opening behind the main browser window, and in-text advertisements that turn random words on websites into clickable links.

Beyond advertising functionality, PUP.NewPlayer engages in extensive data collection. It tracks which websites users visit, what search terms they enter, which advertisements they click, and how long they spend on different pages. This information feeds into user profiling systems that build detailed behavioral profiles for targeted advertising. While the PUP's privacy policy (if one exists) might technically disclose this tracking, the disclosure is buried in unreadable legal language that no reasonable user would comprehend. Some variants also collect system information including operating system version, installed software, hardware specifications, and IP address.

Performance degradation becomes immediately noticeable on most systems. The constant ad injection requires significant processing resources, especially when multiple browser tabs are open. Users report slower page load times, increased memory consumption, and general system sluggishness. The network connection experiences higher utilization due to constant communication with ad servers and tracking domains. In severe cases, the volume of injected advertisements and pop-ups makes the browser nearly unusable for legitimate work.

Typical PUP.NewPlayer Filesystem Artifacts
C:\Users\[Username]\AppData\Local\NewPlayer\ npcore.exe // Main executable process npservice.dll // Service component library config.dat // Configuration file with C2 domains uninstall.exe // Fake uninstaller (often non-functional) C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Extensions\ [random-extension-id]\ // Browser extension folder Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NewPlayer = "%LOCALAPPDATA%\NewPlayer\npcore.exe" Scheduled Tasks: Task Name: NewPlayer Update Task Program: %LOCALAPPDATA%\NewPlayer\npservice.exe -update

Manual Removal — Step by Step

01

Disconnect and Document

Disconnect your computer from the internet by unplugging the Ethernet cable or disabling Wi-Fi. This prevents the PUP from downloading additional components or receiving updated instructions from its command servers. Take note of any unusual browser behavior, pop-up messages, or changed settings — this information helps verify complete removal later.

02

Boot into Safe Mode with Networking

Restart your computer and boot into Safe Mode with Networking. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart, and press F5 when the options appear. Safe Mode loads only essential drivers and services, preventing PUP.NewPlayer from launching its protection mechanisms that interfere with removal.

03

Uninstall via Control Panel

Open Control Panel > Programs > Programs and Features (or Settings > Apps on Windows 10/11). Look for entries named "NewPlayer," "New Player," or similar names with recent installation dates. Select the entry and click Uninstall. Be extremely cautious during the uninstallation wizard — many PUPs present misleading prompts trying to keep you as a "user" or install additional software. Decline all offers and click through to complete removal.

04

Terminate Running Processes

Open Task Manager (Ctrl+Shift+Esc) and examine the Processes tab for anything related to NewPlayer, including processes with random names running from %LOCALAPPDATA% folders. Right-click suspicious processes, select "Open file location" to verify, then End Task. Pay attention to processes that restart immediately after termination — these indicate additional persistence mechanisms you'll need to address.

05

Remove Startup and Scheduled Task Entries

Press Win+R, type shell:startup, and delete any shortcuts related to NewPlayer. Then open Task Scheduler (search for it in the Start menu), expand Task Scheduler Library, and look for tasks with names like "NewPlayer Update" or randomly-named tasks pointing to executables in your %LOCALAPPDATA% directory. Right-click these tasks and delete them. Also check the Registry Run keys by pressing Win+R, typing regedit, and navigating to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to remove any NewPlayer entries.

06

Delete the Program Folder

Press Win+R, type %LOCALAPPDATA%, and press Enter. Look for folders named "NewPlayer" or suspicious folders with random GUID names (long strings of letters and numbers). Delete these entire folders. If Windows reports that files are in use, the previous step didn't successfully terminate all processes — return to Task Manager and try again. You may need to take ownership of stubborn folders using the folder's Security properties.

07

Clean Browser Extensions and Reset Settings

Open each installed browser and remove suspicious extensions. In Chrome, go to the three-dot menu > Extensions > Manage Extensions and remove anything unfamiliar installed around the time problems started. In Firefox, click the menu > Add-ons and Themes > Extensions. After removing extensions, reset browser settings: Chrome (Settings > Reset settings > Restore settings to original defaults), Firefox (Help > More troubleshooting information > Refresh Firefox). This removes hijacked homepages, search engines, and injected settings.

08

Run Malwarebytes or Similar Scanner

Download and install Malwarebytes Free (from malwarebytes.com directly — avoid third-party download sites). Run a full system scan to catch any components, registry entries, or related PUPs you might have missed. Malwarebytes specifically targets adware and PUPs that traditional antivirus sometimes overlooks. Quarantine and remove everything it finds, then reboot when prompted.

09

Change Passwords from a Clean Device

If you entered any passwords while PUP.NewPlayer was active, change them from a different, known-clean computer or phone. While this PUP primarily focuses on advertising rather than credential theft, some variants bundle keyloggers or form grabbers. At minimum, change passwords for email, banking, and any accounts containing financial or sensitive information.

10

Reboot Normally and Verify

Restart your computer in normal mode and observe behavior for 24-48 hours. Verify that pop-ups have ceased, browser performance has returned to normal, and your homepage/search engine remain as you set them. Check Task Manager's Startup tab to ensure nothing suspicious has reappeared. If problems persist, professional removal may be necessary — the PUP may have installed rootkit-level components or additional malware beyond the scope of manual removal.

Prevention

  1. Always choose Custom/Advanced installation when installing free software. Read each screen carefully and uncheck any pre-selected boxes offering additional software, browser toolbars, or changes to browser settings. The few extra seconds spent reviewing installation options prevents hours of cleanup later.
  2. Download software exclusively from official sources. Avoid third-party download portals, torrent sites, and file-sharing platforms that bundle additional software with legitimate installers. Go directly to the software developer's official website, even if it means spending extra time searching for the correct URL.
  3. Keep your operating system and browser updated. Enable automatic updates for Windows and all browsers. Security patches often close vulnerabilities that malvertising campaigns exploit to push PUPs onto systems without full user interaction.
  4. Install a reputable ad-blocker. Browser extensions like uBlock Origin prevent many of the malicious advertisements and fake download buttons that lead to PUP installations. They also block connections to known adware distribution domains, stopping infections before they start.
  5. Ignore codec and player update prompts on websites. Legitimate websites never require special codecs or players — modern browsers handle all standard video formats natively. If a site claims you need to install something to view content, the site itself is the problem. Find the content elsewhere or skip it entirely.
  6. Run real-time protection software. Windows Defender (built into Windows 10/11) provides adequate protection if kept updated, but consider supplementing with Malwarebytes Premium for real-time PUP blocking. Configure your security software to scan downloads before execution.
  7. Create a standard user account for daily activities. Reserve administrator accounts for software installation and system maintenance. PUPs require administrator privileges to install system-level persistence mechanisms, so running as a standard user provides an additional barrier.
  8. Educate yourself and others who use your computer. Family members, employees, or anyone with access to your system should understand the basics of safe downloading and installation practices. Many infections occur when less tech-savvy users unknowingly approve PUP installations.
Our 90-Day Warranty — When Computer Repair Roswell removes PUP.NewPlayer or any other malware from your system, we stand behind our work with a 90-day warranty. If the same infection returns within that period, we'll re-clean your system at no additional charge. We also provide written documentation of what was removed and prevention recommendations tailored to your specific situation.

Bring It In

While the manual removal steps above work for straightforward PUP.NewPlayer infections, many cases involve complications that make professional removal the smarter choice. Some variants install rootkit components that hide from standard detection tools, modify system files requiring specialized repair procedures, or bundle additional malware that poses more serious security risks than the adware itself. If you've attempted manual removal and still experience pop-ups, browser redirects, or performance issues, the infection likely has deeper hooks into your system than basic tools can address.

Computer Repair Roswell has been cleaning PUPs, adware, and malware from Roswell-area computers since 2010. We use professional-grade tools and techniques not available to home users, often completing removals in under an hour while you wait. Our diagnostic service is free — bring your computer to our shop at 960 Mansell Road, and we'll identify exactly what's infected your system before you commit to any repairs. Call us at (770) 692-4102 or stop by Monday through Saturday. We'll get your computer clean, fast, and protected against reinfection.